OpenClaw is an open source AI assistant framework that supports multi-model integration and multi-channel message distribution. Deploying OpenClaw on an ECS instance typically requires manually installing dependencies and configuring the model. You can use Cloud Assistant public commands to quickly install and deploy OpenClaw, and manage models, message channels, and the Gateway service.
Compatibility
Before you run public commands, make sure that the target ECS instances meet the following requirements:
Cloud Assistant status: The Cloud Assistant agent must be installed on the instance and be in a Normal state. If the agent is not installed, see Install the Cloud Assistant Agent.
Network: The instance must have Internet access to pull OpenClaw dependency packages and model configurations.
Supported operating systems
Operating system | Supported versions | Public command |
Linux | Alibaba Cloud Linux 3, Ubuntu 22.04/24.04, Debian 12, Rocky Linux 8/9, AlmaLinux 8/9, and CentOS Stream 8/9 |
|
Windows | Windows Server 2016 (standard edition) or later |
|
Windows instance limitations:
1. Due to OpenClaw limitations, the Gateway starts only after a user logs on to the desktop. Before you run the related commands, make sure that a user is logged on.
2. You must specify a username (such as Administrator) to run the Windows command. Running the command as the default system user is not supported. To use a standard user, see Configure a regular user for Windows instances.
Install and deploy
We recommend that you use an ECS instance with at least 4 vCPUs and 4 GiB of memory. If you use a shared instance type (such as the ecs.t6 or ecs.s6 series), we recommend that you select a larger instance size to ensure installation and runtime stability.
Console
Go to the ECS console - Cloud Assistant page.
Click the Common Commands tab, enter the command keyword in the search box, such as
ACS-ECS-InstallOpenClaw-for-linux.sh / windows.ps1, and click Run on the target public command card.In the Run Command dialog box, configure the execution parameters (such as Username, Timeout, and Command Parameters), and then select the ECS instances on which you want to install OpenClaw. The following command parameters are supported:
INSTALL_METHOD: The installation method. Set this to plugin.AUTH_CHOICE: For more information, see Supported model providers.API_KEY: The API key of the provider. To use encrypted transmission, see How do I use an encrypted API key?.
Click Run. On the Command Execution Result tab, check the execution status.
Execution succeeded: OpenClaw has been installed. To remotely access the OpenClaw Dashboard, see How do I remotely access the WebUI after installing OpenClaw?
Execution failed: Troubleshoot based on the task output and Cloud Assistant logs. For more information, see Why does a public command fail?
(Optional)After installation, OpenClaw uses the default model of the provider. You can use the Model viewing and switching command to view the current default model and configuration (
ACTION=status), list configured models (ACTION=list), or switch the default model (ACTION=switch).
CLI
View the public command information.
Run the following command to view the details of the
ACS-ECS-InstallOpenClaw-for-linux.shpublic command:aliyun ecs DescribeCommands \ --RegionId 'cn-hangzhou' \ --CommandId 'ACS-ECS-InstallOpenClaw-for-linux.sh'The CommandId of other commands follows a similar format, such as
ACS-ECS-OpenClawModel-for-linux.sh.Run the public command to install OpenClaw.
Replace the region ID and instance ID in the following example with actual values. You can find the region ID in the upper-left corner of the console. The instance ID is available on the Instances page.
To install on multiple instances at once, specify multiple instance IDs using the
--InstanceId.Nparameter. A maximum of 100 instances are supported.aliyun ecs InvokeCommand \ --RegionId '<RegionId, e.g. cn-hangzhou>' \ --CommandId 'ACS-ECS-InstallOpenClaw-for-linux.sh' \ --InstanceId.1 '<InstanceId, e.g. i-bp1xxxxxxxxxxxx>'To configure a model during installation, we recommend using an encrypted API key instead of a plaintext key. For more information, see How do I use an encrypted API key?
View the execution result.
After the command is executed, an
InvokeIdis returned. Use this ID to query the execution result:aliyun ecs DescribeInvocationResults \ --RegionId '<RegionId>' \ --InvokeId '<InvokeId, e.g. t-hz0xxxxxxxxxxxx>'In the response, the
Outputfield contains the standard output of the script, and theErrorInfofield contains error information.
After installation, to remotely access the OpenClaw Dashboard, see How do I remotely access the WebUI after installing OpenClaw?
Other operations
Search for the command in Cloud Assistant public commands, configure the parameters as instructed, and then run the command.
Model viewing and switching
Public command: ACS-ECS-OpenClawModel-for-linux.sh / windows.ps1
Manage configured models: list models, view their status, switch the default model, and add providers.
Quick examples
When you run the command in the console, set the parameters as follows:
List configured models: Set
ACTIONtolist. Leave other parameters empty.View configuration status: Set
ACTIONtostatus. Leave other parameters empty.Switch the default model: Set
ACTIONtoswitch, and setMODEL_IDto the target model (such asmodelstudio/qwen3.5-plus). RunACTION=listfirst to query available model IDs.Add a model provider: Set
ACTIONtosetup, setAUTH_CHOICEto the provider identifier (such asmodelstudio-standard-api-key-cn), and setAPI_KEYto the corresponding API key.
For more actions and parameter details, see the tables below.
Actions
ACTION | Description | Required parameters | Optional parameters |
| Lists configured models. | - | OUTPUT_FORMAT |
| Views the configuration status and authentication overview. | - | OUTPUT_FORMAT |
| Switches the default model. | MODEL_ID | - |
| Configures a model provider. | AUTH_CHOICE | See Parameters. |
Parameters
Parameter | Description | Valid values / Examples |
| The action type (required). | list / status / switch / setup |
| The output format. | json / plain (default: table) |
| The target model ID. Required for the switch action. Format: provider/model-name. You can run | Example: modelstudio/qwen3.5-plus |
| The authentication method. Required for the setup action. | |
| The API key. We recommend using ENCRYPTED_API_KEY instead. | - |
| The encrypted API key. Specify either API_KEY or ENCRYPTED_API_KEY. You can generate an encrypted key using Encrypt command content. | |
| The Cloud Assistant data encryption key pair ID. Required when you use ENCRYPTED_API_KEY. | t-hy03a65fmrd**** |
| The API endpoint URL for a custom provider. Required when AUTH_CHOICE is custom-api-key. | - |
| A user-defined identifier for the custom provider. Required when AUTH_CHOICE is custom-api-key. | - |
| The API protocol compatibility mode for a custom provider. Determines whether the OpenAI or Anthropic API format is used. | openai (default) / anthropic |
Message channel management
Public command: ACS-ECS-OpenClawChannel-for-linux.sh / windows.ps1
Configure, query, and manage message channels (Feishu, WeCom, QQ, and DingTalk).
Quick examples
When you run the command in the console, set the parameters as follows:
List configured channels: Set
ACTIONtolist. Leave other parameters empty.View connection status: Set
ACTIONtostatus. To probe credential validity, setPROBEtotrue.Configure a Lark channel: Set
ACTIONtosetup, setCHANNEL_TYPEtofeishu, setPARAM_IDto your Lark App ID, and setPARAM_SECRETto the App Secret. For other channel types, see Channel types and credential mapping.View a channel's configuration: Set
ACTIONtoget, and setCHANNEL_TYPEto the channel type (such asfeishu).Disable a channel: Set
ACTIONtoremove, and setCHANNEL_TYPEto the channel type to disable (such asdingtalk).
For more actions and parameter details, see the tables below.
Actions
ACTION | Description | Required parameters | Optional parameters |
| Lists configured channels. | - | OUTPUT_FORMAT |
| Checks the connection status. | - | OUTPUT_FORMAT, PROBE |
| Configures a channel. | CHANNEL_TYPE + credentials | KEY_PAIR_ID |
| Retrieves configuration information. | CHANNEL_TYPE | OUTPUT_FORMAT |
| Disables a channel. | CHANNEL_TYPE | - |
Parameters
Parameter | Description | Valid values |
| The action type (required). | list / status / setup / get / remove |
| The channel type. Required for setup/get/remove. | |
| The primary credential. | Varies by channel. See Channel type and credential mapping. |
| The secondary credential (see mapping table below). We recommend using ENCRYPTED_PARAM_SECRET instead. | - |
| The encrypted secondary credential. | Specify either PARAM_SECRET or ENCRYPTED_PARAM_SECRET. You can generate an encrypted credential using Encrypt command content. |
| The Cloud Assistant data encryption key pair ID. Required when you use ENCRYPTED_PARAM_SECRET. | Required when you use an encrypted credential. |
| The output format. | json / plain |
| Checks if the credential is valid. Valid only for the status action. | true / false (default) |
Channel type and credential mapping
CHANNEL_TYPE | PARAM_ID | PARAM_SECRET | Additional behavior |
| App ID | App Secret | Automatically enables the Feishu plugin. |
| Bot ID | Bot Secret | Automatically installs @wecom/wecom-openclaw-plugin. |
| App ID | Client Secret | Automatically installs @tencent-connect/openclaw-qqbot. |
| Client ID | Client Secret | Automatically installs @dingtalk-real-ai/dingtalk-connector. |
Gateway service management
Public command: ACS-ECS-OpenClawGateway-for-linux.sh / windows.ps1
Manage the Gateway service: start, stop, install/uninstall as a system service, run in the background, and access the Dashboard.
Quick examples
When you run the command in the console, set the parameters as follows:
Start Gateway: Set
ACTIONtostart. Leave other parameters empty.View Gateway status: Set
ACTIONtostatus. To perform a deep check, setDEEPtotrue.Restart Gateway: Set
ACTIONtorestart. Leave other parameters empty.Get the Dashboard URL: Set
ACTIONtodashboard. Leave other parameters empty.Register as a system service (auto-start on boot): Set
ACTIONtoinstall. To specify a port, setPORT(default: 18789).
For more actions and parameter details, see the tables below.
Actions
ACTION | Description | Optional parameters |
| Starts the Gateway. | - |
| Stops the Gateway. | - |
| Restarts the Gateway. | - |
| Checks the status and performs an RPC probe. | DEEP, OUTPUT_FORMAT, TIMEOUT |
| Installs the Gateway as a system service. | PORT, FORCE |
| Uninstalls the system service. | - |
| Runs the service in the background (for non-systemd environments). | PORT, BIND, FORCE |
| Retrieves the Dashboard URL. | - |
Parameters
Parameter | Description | Valid values |
| The action type (required). | start / stop / restart / status / install / uninstall / run / dashboard |
| The port number (default: 18789). | - |
| The bind mode (run action only). | loopback (default) / lan / auto |
| Forces execution, ignoring existing running instances or service registration conflicts. | true / false (default) |
| Performs a deep scan of the system service (status action only). | true / false (default) |
| The output format (status action only). | json |
| The probe timeout in seconds (status action only). | - |
Diagnosis and health check
Public command: ACS-ECS-OpenClawDiagnose-for-linux.sh / windows.ps1
Run health checks, view system status, and automatically repair common issues.
Quick examples
When you run the command in the console, set the parameters as follows:
Run a health check with auto-repair: Set
ACTIONtodoctor, and setFIXtotrue. For a deep scan, setDEEPtotrue.View system status overview: Set
ACTIONtostatus. Leave other parameters empty. For full diagnostics, setALLtotrue.Check Gateway health: Set
ACTIONtohealth. Leave other parameters empty.
For more actions and parameter details, see the tables below.
Actions
ACTION | Description | Optional parameters |
| Health check and automatic repair. | FIX, DEEP |
| System status overview. | OUTPUT_FORMAT, ALL, DEEP, TIMEOUT |
| Gateway health status. | OUTPUT_FORMAT, TIMEOUT |
Parameters
Parameter | Description | Valid values |
| The action type (required). | doctor / status / health |
| Enables automatic repair (doctor action only). | true / false (default) |
| Enables a deep scan (doctor/status). | true / false (default) |
| The output format. | json |
| Enables a full diagnosis (status action only). | true / false (default) |
| The timeout in seconds (status/health). | - |
Uninstall and clean up
Public command: ACS-ECS-UninstallOpenClaw-for-linux.sh / windows.ps1
This command uninstalls OpenClaw. It first detects and removes the Cloud Assistant plugin. If a plugin installation is not found, it runs npm uninstall -g openclaw.
Quick examples
When you run the command in the console, set the parameters as follows:
Uninstall OpenClaw (keep configuration): Leave all parameters empty and run the command. Configuration data is retained in the ~/.openclaw directory for future reinstallation.
Uninstall and remove all data: Set
REMOVE_WORKDIRtotrueto completely delete the working directory and configuration data.
For more parameter details, see the table below.
Parameters
Parameter | Required | Description |
REMOVE_WORKDIR | Optional | Specifies whether to remove the ~/.openclaw working directory.
|
If you need to uninstall OpenClaw due to an API key leak or a security incident, make sure to set REMOVE_WORKDIR to true to completely remove credential data from disk.
FAQ
Why does a public command fail?
Common causes of failure include:
Invalid API key: The AUTH_CHOICE value does not match the actual provider, or the key has expired or is in an incorrect format.
Port conflict: Port 18789 is already in use. Run the following command to check:
Linux:
netstat -tlnp | grep 18789Windows:
netstat -ano | findstr 18789
Slow installation on Windows: We recommend adding the OpenClaw installation directory (by default
C:\Users\<Username>\.openclaw) to the Microsoft Defender real-time protection exclusion list. We do not recommend directly disabling real-time protection.
For more information about troubleshooting, see View execution results and troubleshoot.
How do I remotely access the WebUI after installing OpenClaw?
After OpenClaw is installed, the Gateway service listens on 127.0.0.1:18789 by default, allowing local access only. To remotely access the WebUI (Dashboard) over the Internet, use one of the following methods:
Method 1: SSH tunnel forwarding (recommended): Run the following command on your local terminal, and then access
http://localhost:18789in your local browser.ssh -L 18789:127.0.0.1:18789 root@<ECS public IP>Method 2: Connect to OpenClaw without public IP
Method 3: Change the Gateway bind mode to LAN:
Log on to the ECS instance and run the following commands to change the Gateway bind mode from loopback to lan (listen on all network interfaces):
openclaw config set gateway.bind lan openclaw gateway restartIn the ECS security group, add an inbound rule to allow TCP port 18789. We recommend that you restrict the authorized source to your office or home IP range, rather than
0.0.0.0/0.In your browser, navigate to
http://<ECS public IP>:18789.
WarningAfter you change to lan mode, the Gateway listens on all network interfaces (0.0.0.0). Make sure that you restrict access to port 18789 in the security group to avoid exposing the port to the Internet.
How do I use an encrypted API key?
To avoid transmitting API keys in plaintext, we recommend that you use the Cloud Assistant data encryption feature to encrypt API keys. After encryption, pass the key by using the following parameters:
ENCRYPTED_API_KEY: The encrypted API key. Specify either API_KEY or ENCRYPTED_API_KEY. You can generate an encrypted key by using Encrypt command content.KEY_PAIR_ID: The Cloud Assistant data encryption key pair ID. Required when you use ENCRYPTED_API_KEY.
CLI example:
aliyun ecs InvokeCommand \
--RegionId '<RegionId>' \
--CommandId 'ACS-ECS-InstallOpenClaw-for-linux.sh' \
--InstanceId.1 '<InstanceId>' \
--Parameters '{"AUTH_CHOICE":"modelstudio-standard-api-key-cn","ENCRYPTED_API_KEY":"<EncryptedKey>","KEY_PAIR_ID":"<OOSKeyPairId>"}'I purchased Model Studio Token Plan. How do I configure the installation parameters?
To install OpenClaw with Model Studio Token Plan, set AUTH_CHOICE to custom-api-key and configure the following parameters:
API_KEY: The dedicated API Key of the Token Plan Team Edition.BASE_URL: The API endpoint of Model Studio. For more information, see Token Plan Team Edition Base URL.MODEL_ID: A model supported by the Token Plan Team Edition.
What model providers does OpenClaw support?
The following table lists the supported values for the AUTH_CHOICE parameter. When you install or switch models, set AUTH_CHOICE to the corresponding value.
AUTH_CHOICE | Provider |
modelstudio-standard-api-key-cn | Qwen Standard Plan (Chinese mainland, pay-as-you-go) |
modelstudio-standard-api-key | Qwen Standard Plan (Global, pay-as-you-go) |
modelstudio-api-key-cn | Qwen Coding Plan (Chinese mainland, subscription) |
modelstudio-api-key | Qwen Coding Plan (Global, subscription) |
openai-api-key | OpenAI |
anthropic-api-key | Anthropic |
deepseek-api-key | DeepSeek |
gemini-api-key | Google Gemini |
mistral-api-key | Mistral AI |
openrouter-api-key | OpenRouter |
xai-api-key | xAI (Grok) |
volcengine-api-key | Volcengine |
byteplus-api-key | BytePlus |
qianfan-api-key | Baidu Qianfan |
moonshot-api-key | Moonshot AI / Kimi K2.5 (International) |
moonshot-api-key-cn | Moonshot AI / Kimi K2.5 (Chinese mainland) |
kimi-code-api-key | Kimi Code |
xiaomi-api-key | Xiaomi |
zai-api-key | Z.AI |
zai-coding-global | Z.AI Coding Plan (Global) |
zai-coding-cn | Z.AI Coding Plan (Chinese mainland) |
zai-global | Z.AI (Global) |
zai-cn | Z.AI (Chinese mainland) |
together-api-key | Together AI |
huggingface-api-key | Hugging Face |
venice-api-key | Venice AI |
kilocode-api-key | Kilo Gateway |
litellm-api-key | LiteLLM |
synthetic-api-key | Synthetic |
chutes-api-key | Chutes |
opencode-zen | OpenCode (Zen catalog) |
opencode-go | OpenCode (Go catalog) |
minimax-global-api | MiniMax (Global) |
minimax-cn-api | MiniMax (Chinese mainland) |
ai-gateway-api-key | Vercel AI Gateway |
custom-api-key | Custom endpoint (requires BASE_URL + MODEL_ID) |